We need to capture packets as they pass through a router. We plan to use a capture unit with two NICs, capturing from both with a single instance of dumpcap. This gives us traffic from both interfaces in a single pcapng file, with frames from each NIC distinguished by the Interface Number. I decided to test this with the following setup. The capture worked OK, but every data packet has a TCP Retransmission partner, and each ACK packet has a Dup ACK partner. I did suspect this would happen, hence the test. Is there a way to suppress this? I'd like to be able to see true TCP Retransmissions but not have them flagged for the same packet appearing on another interface. asked 29 Aug '15, 08:44 PaulOfford
One Answer:
This may explain the reason why this happens, plus how to get around it: https://blog.packet-foo.com/2015/03/tcp-analysis-and-the-five-tuple/ answered 29 Aug '15, 08:56 Jasper
What I would really like is a TCP Preference option that forces Wireshark to add interface number to the 5-tuple (a 6-tuple).
It needs to be an option because you might want the packets from two interfaces to be treated as one aggregate flow - e.g. SPANs or TAPs on teamed adapter interfaces.
I just wondered if anyone had discovered a trick to overcome the issue.
As far as I know there is no trick, as long as you want to keep the duplicate packets in the same file.
You might want to open a Feature Request at http://bugs.wireshark.org for the 6-tuple ;-)
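As an added illustration (not from the thread, and not Wireshark's own analysis code), the following Python shows why a 5-tuple conversation key merges the two mirrored copies into one flow and flags the second as a retransmission, while the 6-tuple keyed on the pcapng interface id that the asker describes flags only the genuine retransmission. The frames are constructed, and the IP-ID heuristic is an assumption about typical stacks, not something the thread states.

```python
"""Two-NIC capture: mirrored copies vs real retransmissions.
Added example with constructed frames; a simplified model of the
conversation-key behaviour discussed in the thread, not Wireshark's code."""
from collections import namedtuple

Frame = namedtuple("Frame", "no iface src sport dst dport seq ip_id")

# Constructed capture: iface 0 and 1 are the router's two sides, so every
# packet appears twice. Frame 5 is a genuine retransmission of frame 1
# (same seq, fresh IP ID) and is itself mirrored as frame 6.
FRAMES = [
    Frame(1, 0, "10.0.0.5", 40000, "10.0.1.9", 443, 1000, 0x1A01),
    Frame(2, 1, "10.0.0.5", 40000, "10.0.1.9", 443, 1000, 0x1A01),
    Frame(3, 0, "10.0.0.5", 40000, "10.0.1.9", 443, 2000, 0x1A02),
    Frame(4, 1, "10.0.0.5", 40000, "10.0.1.9", 443, 2000, 0x1A02),
    Frame(5, 0, "10.0.0.5", 40000, "10.0.1.9", 443, 1000, 0x1A03),
    Frame(6, 1, "10.0.0.5", 40000, "10.0.1.9", 443, 1000, 0x1A03),
]

def conversation_key(f, with_iface):
    """5-tuple (proto fixed to TCP here). with_iface appends the pcapng
    interface id, giving the 6-tuple the thread asks for."""
    key = (f.src, f.sport, f.dst, f.dport, "tcp")
    return key + (f.iface,) if with_iface else key

def flag_retransmissions(frames, with_iface=False):
    """Frame numbers whose seq was already seen in the same conversation.
    Deliberately simple: enough to show the effect of the key choice."""
    seen, flagged = set(), []
    for f in frames:
        k = (conversation_key(f, with_iface), f.seq)
        if k in seen:
            flagged.append(f.no)
        seen.add(k)
    return flagged

def mirror_duplicates(frames):
    """Heuristic (assumption, not from the thread): a copy of the same
    packet on another interface carries the identical IP ID and seq, while
    a real retransmission on most stacks gets a fresh IP ID."""
    first_iface, dups = {}, []
    for f in frames:
        k = (conversation_key(f, False), f.seq, f.ip_id)
        if k in first_iface and first_iface[k] != f.iface:
            dups.append(f.no)
        first_iface.setdefault(k, f.iface)
    return dups
```

With the 5-tuple every mirrored copy is flagged alongside the real retransmission; with the interface id in the key only frames 5 and 6 (the true retransmission, once per interface) remain flagged.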